Variable Preview works unpredictable

anton.smolkov · December 21, 2020, 9:51pm

Greetings! Please help me to find out if i do something wrong or it is a bug.
If variable has sensitive value for one of the environments(scopes) sometimes it is shown as ***** for others.
Variables on the screenshots below actually have sensitive value only for “production” environment.

Also, you may notice that same-scoped (develop21, develop16) value is shown differently depending on “Environment” input.
This is definitely not a frontend-side issue, cause i have the same results through the API.

Version: 2020.5.1

donny.bell · December 14, 2020, 6:55pm

Hi @anton.smolkov,

Thank you for contacting Octopus Support. I’m sorry that you are running into this issue.

I am going to spin up a test environment and try to get this reproduced.

I’ll let you know what I figure out.

Regards,
Donny

donny.bell · December 15, 2020, 8:15pm

Hi @anton.smolkov,

Thank you for your patience.

I’ve not yet been successful at reproducing this issue. Would you be willing to share a screenshot with some of your variables for this project?

Example:

I look forward to hearing back from you.

Regards,
Donny

anton.smolkov · December 17, 2020, 7:27am

Hi!
Here it is:

donny.bell · December 17, 2020, 8:45pm

Hi @anton.smolkov,

Thank you for getting back to me and providing the screenshot.

I’m still unable to reproduce this issue on my end. Would it be possible for you to share a backup of your SQL db for analysis?

Let me know at your earliest convenience.

Regards,
Donny

anton.smolkov · December 18, 2020, 1:16pm

Hi!
I’ve found a pinpoint and the way to reproduce it. This is kind of funny =)

Now i’m not even sure that this is a big problem.
Except that it technically might be used for bruteforcing values of sensitive variables.

donny.bell · December 18, 2020, 5:11pm

Hi Anton,

Thank you for the example.

Unfortunately, I am still not having any luck in reproducing this on my end. I PMed you with instructions on how to upload your SQL db for analysis.

Let me know if you run into any issues.

Regards,
Donny

anton.smolkov · December 22, 2020, 10:13am

Hi! Ok, little more explanation:
If you have SENSITIVE variable with content e.g. - “Content1234” and NOT SENSITIVE variable with THE SAME content - “Content1234”, NOT SENSITIVE variable is shown as HIDDEN.

Take a look at screenshots above.

Kenneth_Bates · December 23, 2020, 10:16pm

Hi Anton,

Thank you kindly for following up and providing all this great information. I’m jumping in here for Donny over the holiday break.

I’ve been able to reproduce this behavior, where a sensitive and a non-sensitive variable with matching values will also mask the non-sensitive value in the variable preview. This is actually by design, and to try to prevent the value from showing up inadvertently in the logs or preview page, Octopus masks this value outright across the board. To avoid the possibility of bruteforcing these values, we’d suggest the approach of “don’t use passwords that are likely to occur in normal logging/language” (quoting this docs section).

I’m sorry for the confusion this has caused. Please let us know if you have any questions or concerns!

Best regards,

Kenny

anton.smolkov · December 24, 2020, 8:13am

I have no more questions. Thank you guys.

system · January 24, 2021, 8:13am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.